Hello, We have a the need to be able to collect a collection of files that would be our Standard template of collecte and to add another template to collecte specific files. The goal is to limite the risk for disruption of other logging on the same system and to be able to modify the standard without any impact of the specific files. Is this possible and if so how to do it. Regards Edouard MORAGUES

Hi, seems there is a bug in im_msvistalog module in nxlog-ce-3.0.2272 for Windows. After service has generated some output, stopping service sometimes give the message box "Broken pipe" and sometimes Nxlog write a malformed configcache.dat and following the start posts an ERROR failed to restore the saved position from bookmark xml (error:15008)" Tested on Windows 2012 R2 and Windows 2019 <Output out> Module om_file File '%LOGDIR%\Output' </Output> <Input _im_eventlog> Module im_msvistalog SavePos TRUE <QueryXML> <QueryList> <Query Id='1'> <Select Path='Security'>*</Select> </Query> </QueryList> </QueryXML> # Query <QueryList>\ # <Query Id='0'>\ # <Select Path="Security">*</Select>\ # </Query>\ # </QueryList> </Input> #<Output outNull> # Module om_null #</Output> <Route RouteA> Path _im_eventlog => out </Route> This issue make the module not worth to use because not saving the bookmark of the processed registry record, force it to generate same logs from start over each service restart. Best.

Hi, We have this error ERROR binary header not found at position 0 in data received from xxx.xxx.xxx.xxx is input really binary? Any hint will be appreciated. Regards, K

Has anyone successfully send logs from NXLog to New Relic? I've tried using om_tcp, om_ssl, om_http to send syslogs to New Relic but I keep running into issues with NXLog. For example: ERROR [om_http|out] SSL error, SSL_ERROR_SSL: retval -1, from 162.247.243.181:443, reason: sslv3 alert handshake failure ERROR [om_http|out] [ssl.c:209/nx_ssl_error()] SSL error, SSL_ERROR_SSL: retval -1, from 162.247.243.181:443, ( reason: unsupported protocol, function: SSL23_GET_SERVER_HELLO, library: SSL routines ) I've tried both the TCP endpoint for syslogs and the headerless API log endpoint, and if I send a curl -X POST with some JSON data to the New Relic log endpoint, it works fine without any issues. Any ideas?

Hi, It is possible to use Nxlog to pull logs from ELK to the Nxlog Manager? Thanks

Hi, I am Configuring om_ssl module for <Output tcpssl> for CE and successful in sending logs to logstash over SSL, however if I remove CertKeyFile I get an error "ERROR SSL error, SSL_ERROR_SSL: retval 0, sslv3 alert bad certificate". My question is why is private key desired here? Thanks, Sidd

Hello, When I install nxlog with an Administrator account and then try to uninstall with another account (even with admin privileges) I'm having issues, and I'm not able to do it. Any idea how to solve this issue?

Hi, I'm new to NXLog. Still learning how to deploy NXLog Manager and the agents. I'll like to know where can I download sample Verbatim templates for different environments like Linux, Windows Server, Windows 10 and so on. And also the configuration template to SIEM like LogRhythm and Splunk. TIA !

Hi, We are using nxlog ce-2.11.2190.msi to forward windows server event logs to our SIEM. And now we are seeing an issue that the $message of events with ID 4624/4625/4xxx are missing, while those of event with ID 7xxx are shown completely. This issue will be temporarily fixed if we restarted the nxlog service, but the same problem comes back after nxlog service running for a while. This is what we see on SIEM. And the complete events should be like: [Our server’s system language is Traditional Chinese, so the $message is displayed as bytes] Apr 12 18:19:36 win2k12.ahsuhome.local Microsoft-Windows-Security-Auditing[500]: Microsoft-Windows-Security-Auditing: 4634: \0xe5\0xb8\0xb3\0xe6\0x88\0xb6\0xe5\0xb7\0xb2\0xe7\0x99\0xbb\0xe5\0x87\0xba\0xe3\0x80\0x82 \0xe4\0xb8\0xbb\0xe6\0x97\0xa8: \0x09\0xe5\0xae\0x89\0xe5\0x85\0xa8\0xe6\0x80\0xa7\0xe8\0xad\0x98\0xe5\0x88\0xa5\0xe7\0xa2\0xbc:\0x09\0x09S-1-5-18 \0x09\0xe5\0xb8\0xb3\0xe6\0x88\0xb6\0xe5\0x90\0x8d\0xe7\0xa8\0xb1:\0x09\0x09WIN2K12$ \0x09\0xe5\0xb8\0xb3\0xe6\0x88\0xb6\0xe7\0xb6\0xb2\0xe5\0x9f\0x9f:\0x09\0x09AHSUHOME \0x09\0xe7\0x99\0xbb\0xe5\0x85\0xa5\0xe8\0xad\0x98\0xe5\0x88\0xa5\0xe7\0xa2\0xbc:\0x09\0x090x367342 \0xe7\0x99\0xbb\0xe5\0x85\0xa5\0xe9\0xa1\0x9e\0xe5\0x9e\0x8b:\0x09\0x09\0x093 \0xe7\0x95\0xb6\0xe7\0x99\0xbb\0xe5\0x85\0xa5\0xe5\0xb7\0xa5\0xe4\0xbd\0x9c\0xe9\0x9a\0x8e\0xe6\0xae\0xb5\0xe6\0x90\0x8d\0xe6\0xaf\0x80\0xe6\0x99\0x82\0xef\0xbc\0x8c\0xe5\0xb0\0xb1\0xe6\0x9c\0x83\0xe7\0x94\0xa2\0xe7\0x94\0x9f\0xe9\0x80\0x99\0xe5\0x80\0x8b\0xe4\0xba\0x8b\0xe4\0xbb\0xb6\0xe3\0x80\0x82\0xe9\0x80\0x99\0xe5\0x80\0x8b\0xe4\0xba\0x8b\0xe4\0xbb\0xb6\0xe5\0x8f\0xaf\0xe8\0x83\0xbd\0xe8\0x88\0x87\0xe4\0xbd\0xbf\0xe7\0x94\0xa8\0xe7\0x99\0xbb\0xe5\0x85\0xa5\0xe8\0xad\0x98\0xe5\0x88\0xa5\0xe7\0xa2\0xbc\0xe6\0x95\0xb8\0xe5\0x80\0xbc\0xe7\0x9a\0x84\0xe7\0x99\0xbb\0xe5\0x85\0xa5\0xe4\0xba\0x8b\0xe4\0xbb\0xb6\0xe6\0xad\0xa3\0xe9\0x9d\0xa2\0xe7\0x9b\0xb8\0xe9\0x97\0x9c\0xe3\0x80\0x82\0xe7\0x99\0xbb\0xe5\0x85\0xa5\0xe8\0xad\0x98\0xe5\0x88\0xa5\0xe7\0xa2\0xbc\0xe5\0x83\0x85\0xe6\0x9c\0x89\0xe5\0x9c\0xa8\0xe9\0x87\0x8d\0xe6\0x96\0xb0\0xe5\0x95\0x9f\0xe5\0x8b\0x95\0xe7\0x9b\0xb8\0xe5\0x90\0x8c\0xe9\0x9b\0xbb\0xe8\0x85\0xa6\0xe4\0xb9\0x8b\0xe9\0x96\0x93\0xe6\0x89\0x8d\0xe6\0x9c\0x83\0xe6\0x98\0xaf\0xe5\0x94\0xaf\0xe4\0xb8\0x80\0xe7\0x9a\0x84\0xe3\0x80\0x82 Our config is as below: define SIEM_IP 10.0.0.253 define ROOT C:\Program Files (x86)\nxlog define CERTDIR %ROOT%\cert define CONFDIR %ROOT%\conf define LOGDIR %ROOT%\data define LOGFILE %LOGDIR%\nxlog.log LogFile %LOGFILE% Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data <Extension syslog> Module xm_syslog </Extension> <Input in_eventlog> Module im_msvistalog ReadFromLast TRUE SavePos TRUE Query <QueryList> \ <Query Id="0"> \ <Select Path="Security">*[System[(EventID=1100 or EventID=1102)]]</Select> \ <Select Path="Security">*[System[(EventID=4768 or EventID=4769 or EventID=4771)]]</Select> \ <Select Path="Security">*[System[(EventID=4616 or EventID=4657)]]</Select> \ <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4634 or EventID=4647 or EventID=4648)]]</Select> \ <Select Path="Security">*[System[(EventID=5140 or EventID=5142 or EventID=5143 or EventID=5144 or EventID=5145 or EventID=5168)]]</Select> \ <Select Path="Security">*[System[(EventID=4656 or EventID=4658 or EventID=4660 or EventID=4663 or EventID=4664 or EventID=4985 or EventID=5051 or EventID=4670)]]</Select> \ <Select Path="Security">*[System[(EventID=4719 or EventID=4739)]]</Select> \ <Select Path="Security">*[System[(EventID=4720 or EventID=4722 or EventID=4723 or EventID=4724 or EventID=4725 or EventID=4726 or EventID=4738 or EventID=4740 or EventID=4767)]]</Select> \ <Select Path="Security">*[System[(EventID=4727 or EventID=4728 or EventID=4729 or EventID=4730 or EventID=4731 or EventID=4732 or EventID=4733 or EventID=4734 or EventID=4735 or EventID=4737 or EventID=4764)]]</Select> \ <Select Path="Security">*[System[(EventID=4741 or EventID=4742 or EventID=4743)]]</Select> \ <Select Path="Security">*[System[(EventID=4744 or EventID=4745 or EventID=4748)]]</Select> \ <Select Path="Security">*[System[(EventID=4749 or EventID=4750 or EventID=4753)]]</Select> \ <Select Path="Security">*[System[(EventID=4754 or EventID=4755 or EventID=4756 or EventID=4758 or EventID=4759 or EventID=4760 or EventID=4763)]]</Select> \ <Select Path="Security">*[System[(EventID=4778)]]</Select> \ <Select Path="Security">*[System[(EventID=4783)]]</Select> \ <Select Path="Security">*[System[(EventID=4800 or EventID=4801)]]</Select> \ <Select Path="System">*[System[(EventID=7036)]]</Select> \ </Query> \ </QueryList> </Input> <Output out_eventlog> Module om_udp Host %SIEM_IP% Port 514 Exec $SyslogFacilityValue = 17; Exec $Message = string($SourceName) + ": " + string($EventID) + ": " + $Message; Exec if ($EventType == 'ERROR' or $EventType == 'AUDIT_FAILURE') { $SyslogSeverityValue = 3; } \ else if ($EventType == 'WARNING') { $SyslogSeverityValue = 4; } \ else if ($EventType == 'INFO' or $EventType == 'AUDIT_SUCCESS') { $SyslogSeverityValue = 5; } Exec to_syslog_bsd(); </Output> <Route eventlog> Path in_eventlog => out_eventlog </Route> Any ideas about how can this happen will be appreciated.

Is there a way to control the serialisation nxlog does on the logs sent to kafka via om_kafka? Firstly i do not know how they serialise the messages sent to kafka as a result when I read these messages from kafka, i end up facing de-serialisation errors.

Hello, i havent found any official statement about supporting windows server 2022 by nxlog. Our customer is asking us about that. Is nxlog 5.0 supporting log collection for Windows server 2022?

Hey Guys, we are trying to send out our Windows DHCP logs which requires us to massage the log before we can send it out to the remote server. Afraid I am not able to get the CSV Parser running, so far only the drop logic works, the intended output $Message does not come up in our output ` Panic Soft #NoFreeOnExit TRUE define ROOT C:\Program Files\nxlog define CERTDIR %ROOT%\cert define CONFDIR %ROOT%\conf\nxlog.d define LOGDIR %ROOT%\data define LOGFILE %LOGDIR%\nxlog.log LogFile %LOGFILE% Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data <Extension _syslog> Module xm_syslog </Extension> <Extension _charconv> Module xm_charconv AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32, UCS-2LE </Extension> <Extension dhcp_csv_parser> Module xm_csv Fields ID, Date, Time, Description, IPAddress, Hostname, MACAddress, \ UserName, TransactionID, QResult, ProbationTime, CorrelationID, \ DHCID, VendorClassHex, VendorClassASCII, UserClassHex, \ UserClassASCII, RelayAgentInformation, DnsRegError </Extension> <Extension _exec> Module xm_exec </Extension> <Input ironnet_DHCPlogs> Module im_file File "C:\Windows\System32\dhcp\DhcpSrvLog-*.log" ReadFromLast TRUE SavePos TRUE <Exec> # Only process lines that begin with an event ID if $raw_event =~ /^\d+,/ { dhcp_csv_parser->parse_csv(); $QResult = integer($QResult); if $QResult == 0 $QMessage = "NoQuarantine"; else if $QResult == 1 $QMessage = "Quarantine"; else if $QResult == 2 $QMessage = "Drop Packet"; else if $QResult == 3 $QMessage = "Probation"; else if $QResult == 6 $QMessage = "No Quarantine Information"; $EventTime = strptime($Date + ' ' + $Time, '%m/%d/%y %H:%M:%S'); $ID = integer($ID); $ColonMAC = $MACAddress; if $ColonMAC =~ /^([0-9a-fA-F]{2})([0-9a-fA-F]{2})([0-9a-fA-F]{2})([0-9a-fA-F]{2})([0-9a-fA-F]{2})([0-9a-fA-F]{2})$/ { $ColonMAC = $1 + ":" + $2 + ":" + $3 + ":" + $4 + ":" + $5 + ":" + $6; } # DHCP Event IDs if $ID == 0 $Message = "The log was started."; else if $ID == 1 $Message = "The log was stopped."; else if $ID == 2 $Message = "The log was temporarily paused due to low disk space."; else if ($ID >= 10 and $ID <= 16) $Message = $Description + " |" + $IPAddress + " |" + $ClientHostname + " |" + $MACAddress + " |" + $UserName + " |" + $ColonMac; else if $ID == 17 drop(); else if $ID == 18 drop(); else if ($ID >= 20 and $ID <= 23) $Message = $Description + " |" + $IPAddress + " |" + $ClientHostname + " |" + $MACAddress + " |" + $UserName; else if $ID == 24 $Message = "IP address cleanup operation has began."; else if $ID == 25 $Message = "IP address cleanup statistics."; else if $ID == 30 drop(); else if $ID == 31 drop(); else if $ID == 32 drop(); else if $ID == 33 $Message = $Description + " |" + $IPAddress + " |" + $ClientHostname + " |" + $MACAddress + " |" + $UserName; else if $ID == 34 drop(); else if $ID == 35 drop(); else if $ID == 36 drop(); else if ($ID >= 50 and $ID < 1000) $Message = "Codes above 50 are used for Rogue Server Detection " + "information."; else drop(); } </Exec> </Input> <Output out_ionnet_datacollector2> Module om_udp Host 172.16.10.42 Port 514 OutputType LineBased </Output> <Route ionnet_DHCPlogs> Path ionnet_DHCPlogs => out_ionnet_datacollector2 </Route> ` Input 30,04/05/22,16:04:58,DNS Update Request,10.41.22.51,P21023LAB.HEALTH.LOCAL,,,0,6,,,,,,,,,0 11,04/05/22,16:04:58,Renew,10.41.22.51,P2103LAB.HEALTH.LOCAL,98EECBDE1CDE,,179078305,0,,,,0x4D53465420352E30,MSFT 5.0,,,,0 32,04/05/22,16:04:58,DNS Update Successful,10.41.22.51,P2103LAB.HEALTH.LOCAL,,,0,6,,,,,,,,,0 Output 11,04/05/22,16:04:58,Renew,10.41.22.51,P2103LAB.HEALTH.LOCAL,98EECBDE1CDE,,179078305,0,,,,0x4D53465420352E30,MSFT 5.0,,,,0

Hi I have been trying to get this to work for 2 days but its not happening! i have a log that sometimes has java call stack errors (multiline) i ship these to graylog using nxlog. As you have guesed i have one log per line. So serched and found the xm_multiline module . Great but i cant get it to work as expected. I have tried many variations of regex but the output i get is not good . To test Im using txt files in and out.. From time to time I point to graylog but its never correct. Sample data:(stack shortened so not to fill up this forum message) 09:56:29.278 [TEST TEST] ERROR o.z.p.spring.common.AdviceTraits - Internal Server Error 09:56:30.278 [TEST TEST] ERROR o.z.p.spring.common.AdviceTraits - Internal Server Error 11:49:30.278 [TEST TEST] ERROR o.z.p.spring.common.AdviceTraits - Internal Server Error java.lang.NullPointerException: null at org.apache.xmlbeans.impl.store.Cur.listRemove(Cur.java:2788) at org.apache.xmlbeans.impl.store.Locale.embedCurs(Locale.java:2796) at org.apache.xmlbeans.impl.store.Cur.moveNode(Cur.java:1953) at org.apache.xmlbeans.impl.store.Cur.moveNode(Cur.java:1846) at org.apache.xmlbeans.impl.store.Cur.createHelper(Cur.java:287) at org.apache.xmlbeans.impl.store.Cur.createAttr(Cur.java:211) at org.apache.xmlbeans.impl.store.Xobj.setAttr(Xobj.java:559) at org.apache.xmlbeans.impl.store.Xobj.add_attribute_user(Xobj.java:2272) at org.openxmlformats.schemas.spreadsheetml.x2006.main.impl.CTCellImpl.setR(Unknown Source) at org.apache.poi.xssf.usermodel.XSSFCell.setCellNum(XSSFCell.java:911) at org.apache.poi.xssf.usermodel.XSSFRow.createCell(XSSFRow.java:226) at org.apache.poi.xssf.usermodel.XSSFRow.createCell(XSSFRow.java:200) at com.lexisnexis.bis.act.export.util.ExcelUtil.generateRowCell(ExcelUtil.java:73) at com.lexisnexis.bis.act.export.util.ExcelUtil.generateRowCell(ExcelUtil.java:60) at com.lexisnexis.bis.act.export.service.ExcelService.generateRowArticleData(ExcelService.java:441) at com.lexisnexis.bis.act.export.service.ExcelService.generateRowArticle(ExcelService.java:402) at com.lexisnexis.bis.act.export.service.ExcelService.generateRowArticle(ExcelService.java:372) at com.lexisnexis.bis.act.export.service.ExcelService.generateSheetArticles(ExcelService.java:242) at com.lexisnexis.bis.act.export.service.ExcelService.generateExport(ExcelService.java:212) 11:42:30.278 [TEST test2] ERROR o.z.p.spring.common.AdviceTraits - Internal Server Error 11:42:30.278 [TEST test2] ERROR o.z.p.spring.common.AdviceTraits - Internal Server Error NXLOG Config Panic Soft NoCache TRUE #Loglevel ERROR Loglevel INFO define ROOT C:\Program Files (x86)\nxlog define CERTDIR %ROOT%\cert define CONFDIR %ROOT%\conf define LOGDIR %ROOT%\data define LOGFILE %LOGDIR%\nxlog.log LogFile %LOGFILE% Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data <Extension _gelf> Module xm_gelf #Avoid truncation of the short_message field to 64 characters. ShortMessageLength 65536 </Extension> <Extension multi> Module xm_multiline HeaderLine /^\d\d:\d\d:\d\d/ </Extension> #ACT <Input in> Module im_file FILE "C:\test.log" InputType multi ReadFromLast False SavePos False </Input> <Output gelf> Module om_tcp Host 192.168.xx Port 12222 OutputType GELF_TCP <Exec> # These fields are needed for Graylog $gl2_source_collector = '72f7289a-7cf5-4ae5-af7f-0428371459f4'; $collector_node_id = hostname(); </Exec> </Output> <Output out> Module om_file File "C:\test_out.txt" </Output> <Route 3> Path in => out </Route> OUTPUT: 09:56:29.278 [TEST TEST] ERROR o.z.p.spring.common.AdviceTraits - Internal Server Error഍ ਍　㤀㨀㔀㘀㨀㌀　⸀㈀㜀㠀 嬀吀䔀匀吀 吀䔀匀吀崀 䔀刀刀伀刀 漀⸀稀⸀瀀⸀猀瀀爀椀渀最⸀挀漀洀洀漀渀⸀䄀搀瘀椀挀攀吀爀愀椀琀猀 ⴀ 䤀渀琀攀爀渀愀氀 匀攀爀瘀攀爀 䔀爀爀漀爀ഀ਍ഀ 11:49:30.278 [TEST TEST] ERROR o.z.p.spring.common.AdviceTraits - Internal Server Error഍ ਍樀愀瘀愀⸀氀愀渀最⸀一甀氀氀倀漀椀渀琀攀爀䔀砀挀攀瀀琀椀漀渀㨀 渀甀氀氀ഀ਍ഀ at org.apache.xmlbeans.impl.store.Cur.listRemove(Cur.java:2788)഍ ਍ऀ愀琀 漀爀最⸀愀瀀愀挀栀攀⸀砀洀氀戀攀愀渀猀⸀椀洀瀀氀⸀猀琀漀爀攀⸀䰀漀挀愀氀攀⸀攀洀戀攀搀䌀甀爀猀⠀䰀漀挀愀氀攀⸀樀愀瘀愀㨀㈀㜀㤀㘀⤀ഀ਍ഀ at org.apache.xmlbeans.impl.store.Cur.moveNode(Cur.java:1953)഍ ਍ऀ愀琀 漀爀最⸀愀瀀愀挀栀攀⸀砀洀氀戀攀愀渀猀⸀椀洀瀀氀⸀猀琀漀爀攀⸀䌀甀爀⸀洀漀瘀攀一漀搀攀⠀䌀甀爀⸀樀愀瘀愀㨀㄀㠀㐀㘀⤀ഀ਍ഀ at org.apache.xmlbeans.impl.store.Cur.createHelper(Cur.java:287)഍ ਍ऀ愀琀 漀爀最⸀愀瀀愀挀栀攀⸀砀洀氀戀攀愀渀猀⸀椀洀瀀氀⸀猀琀漀爀攀⸀䌀甀爀⸀挀爀攀愀琀攀䄀琀琀爀⠀䌀甀爀⸀樀愀瘀愀㨀㈀㄀㄀⤀ഀ਍ഀ at org.apache.xmlbeans.impl.store.Xobj.setAttr(Xobj.java:559)഍ ਍ऀ愀琀 漀爀最⸀愀瀀愀挀栀攀⸀砀洀氀戀攀愀渀猀⸀椀洀瀀氀⸀猀琀漀爀攀⸀堀漀戀樀⸀愀搀搀开愀琀琀爀椀戀甀琀攀开甀猀攀爀⠀堀漀戀樀⸀樀愀瘀愀㨀㈀㈀㜀㈀⤀ഀ਍ഀ at org.openxmlformats.schemas.spreadsheetml.x2006.main.impl.CTCellImpl.setR(Unknown Source)഍ ਍ऀ愀琀 漀爀最⸀愀瀀愀挀栀攀⸀瀀漀椀⸀砀猀猀昀⸀甀猀攀爀洀漀搀攀氀⸀堀匀匀䘀䌀攀氀氀⸀猀攀琀䌀攀氀氀一甀洀⠀堀匀匀䘀䌀攀氀氀⸀樀愀瘀愀㨀㤀㄀㄀⤀ഀ਍ഀ at org.apache.poi.xssf.usermodel.XSSFRow.createCell(XSSFRow.java:226)഍ ਍ऀ愀琀 漀爀最⸀愀瀀愀挀栀攀⸀瀀漀椀⸀砀猀猀昀⸀甀猀攀爀洀漀搀攀氀⸀堀匀匀䘀刀漀眀⸀挀爀攀愀琀攀䌀攀氀氀⠀堀匀匀䘀刀漀眀⸀樀愀瘀愀㨀㈀　　⤀ഀ਍ഀ at com.lexisnexis.bis.act.export.util.ExcelUtil.generateRowCell(ExcelUtil.java:73)഍ ਍ऀ愀琀 挀漀洀⸀氀攀砀椀猀渀攀砀椀猀⸀戀椀猀⸀愀挀琀⸀攀砀瀀漀爀琀⸀甀琀椀氀⸀䔀砀挀攀氀唀琀椀氀⸀最攀渀攀爀愀琀攀刀漀眀䌀攀氀氀⠀䔀砀挀攀氀唀琀椀氀⸀樀愀瘀愀㨀㘀　⤀ഀ਍ഀ at com.lexisnexis.bis.act.export.service.ExcelService.generateRowArticleData(ExcelService.java:441)഍ ਍ऀ愀琀 挀漀洀⸀氀攀砀椀猀渀攀砀椀猀⸀戀椀猀⸀愀挀琀⸀攀砀瀀漀爀琀⸀猀攀爀瘀椀挀攀⸀䔀砀挀攀氀匀攀爀瘀椀挀攀⸀最攀渀攀爀愀琀攀刀漀眀䄀爀琀椀挀氀攀⠀䔀砀挀攀氀匀攀爀瘀椀挀攀⸀樀愀瘀愀㨀㐀　㈀⤀ഀ਍ഀ at com.lexisnexis.bis.act.export.service.ExcelService.generateRowArticle(ExcelService.java:372)഍ ਍ऀ愀琀 挀漀洀⸀氀攀砀椀猀渀攀砀椀猀⸀戀椀猀⸀愀挀琀⸀攀砀瀀漀爀琀⸀猀攀爀瘀椀挀攀⸀䔀砀挀攀氀匀攀爀瘀椀挀攀⸀最攀渀攀爀愀琀攀匀栀攀攀琀䄀爀琀椀挀氀攀猀⠀䔀砀挀攀氀匀攀爀瘀椀挀攀⸀樀愀瘀愀㨀㈀㐀㈀⤀ഀ਍ഀ at com.lexisnexis.bis.act.export.service.ExcelService.generateExport(ExcelService.java:212)഍ ਍ऀ愀琀 挀漀洀⸀氀攀砀椀猀渀攀砀椀猀⸀戀椀猀⸀愀挀琀⸀攀砀瀀漀爀琀⸀猀攀爀瘀椀挀攀⸀䔀砀挀攀氀匀攀爀瘀椀挀攀␀␀䘀愀猀琀䌀氀愀猀猀䈀礀匀瀀爀椀渀最䌀䜀䰀䤀䈀␀␀戀㔀㌀㤀戀㄀㌀㐀⸀椀渀瘀漀欀攀⠀㰀最攀渀攀爀愀琀攀搀㸀⤀ഀ਍ഀ at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218)഍ ਍ऀ愀琀 漀爀最⸀猀瀀爀椀渀最昀爀愀洀攀眀漀爀欀⸀愀漀瀀⸀昀爀愀洀攀眀漀爀欀⸀䌀最氀椀戀䄀漀瀀倀爀漀砀礀␀䌀最氀椀戀䴀攀琀栀漀搀䤀渀瘀漀挀愀琀椀漀渀⸀椀渀瘀漀欀攀䨀漀椀渀瀀漀椀渀琀⠀䌀最氀椀戀䄀漀瀀倀爀漀砀礀⸀樀愀瘀愀㨀㜀㜀㄀⤀ഀ਍ഀ at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163)഍ ਍ऀ愀琀 漀爀最⸀猀瀀爀椀渀最昀爀愀洀攀眀漀爀欀⸀愀漀瀀⸀昀爀愀洀攀眀漀爀欀⸀䌀最氀椀戀䄀漀瀀倀爀漀砀礀␀䌀最氀椀戀䴀攀琀栀漀搀䤀渀瘀漀挀愀琀椀漀渀⸀瀀爀漀挀攀攀搀⠀䌀最氀椀戀䄀漀瀀倀爀漀砀礀⸀樀愀瘀愀㨀㜀㐀㤀⤀ഀ਍ഀ at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:366)഍ ਍ऀ愀琀 漀爀最⸀猀瀀爀椀渀最昀爀愀洀攀眀漀爀欀⸀琀爀愀渀猀愀挀琀椀漀渀⸀椀渀琀攀爀挀攀瀀琀漀爀⸀吀爀愀渀猀愀挀琀椀漀渀䤀渀琀攀爀挀攀瀀琀漀爀⸀椀渀瘀漀欀攀⠀吀爀愀渀猀愀挀琀椀漀渀䤀渀琀攀爀挀攀瀀琀漀爀⸀樀愀瘀愀㨀㄀㄀㠀⤀ഀ਍ഀ at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)഍ ਍ऀ愀琀 漀爀最⸀猀瀀爀椀渀最昀爀愀洀攀眀漀爀欀⸀愀漀瀀⸀昀爀愀洀攀眀漀爀欀⸀䌀最氀椀戀䄀漀瀀倀爀漀砀礀␀䌀最氀椀戀䴀攀琀栀漀搀䤀渀瘀漀挀愀琀椀漀渀⸀瀀爀漀挀攀攀搀⠀䌀最氀椀戀䄀漀瀀倀爀漀砀礀⸀樀愀瘀愀㨀㜀㐀㤀⤀ഀ਍ഀ at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:691)഍ ਍ऀ愀琀 挀漀洀⸀氀攀砀椀猀渀攀砀椀猀⸀戀椀猀⸀愀挀琀⸀攀砀瀀漀爀琀⸀猀攀爀瘀椀挀攀⸀䔀砀挀攀氀匀攀爀瘀椀挀攀␀␀䔀渀栀愀渀挀攀爀䈀礀匀瀀爀椀渀最䌀䜀䰀䤀䈀␀␀㈀㄀㌀攀㈀㤀㘀㤀⸀最攀渀攀爀愀琀攀䔀砀瀀漀爀琀⠀㰀最攀渀攀爀愀琀攀搀㸀⤀ഀ਍ഀ at com.lexisnexis.bis.act.service.ArticleService.getExcelExport(ArticleService.java:2200)഍ ਍ऀ愀琀 挀漀洀⸀氀攀砀椀猀渀攀砀椀猀⸀戀椀猀⸀愀挀琀⸀猀攀爀瘀椀挀攀⸀䄀爀琀椀挀氀攀匀攀爀瘀椀挀攀␀␀䘀愀猀琀䌀氀愀猀猀䈀礀匀瀀爀椀渀最䌀䜀䰀䤀䈀␀␀昀㌀㜀㈀㌀攀昀㔀⸀椀渀瘀漀欀攀⠀㰀最攀渀攀爀愀琀攀搀㸀⤀ഀ਍ഀ at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218)഍ ਍ऀ愀琀 漀爀最⸀猀瀀爀椀渀最昀爀愀洀攀眀漀爀欀⸀愀漀瀀⸀昀爀愀洀攀眀漀爀欀⸀䌀最氀椀戀䄀漀瀀倀爀漀砀礀␀䌀最氀椀戀䴀攀琀栀漀搀䤀渀瘀漀挀愀琀椀漀渀⸀椀渀瘀漀欀攀䨀漀椀渀瀀漀椀渀琀⠀䌀最氀椀戀䄀漀瀀倀爀漀砀礀⸀樀愀瘀愀㨀㜀㜀㄀⤀ഀ਍ഀ at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163)഍ ਍ऀ愀琀 漀爀最⸀猀瀀爀椀渀最昀爀愀洀攀眀漀爀欀⸀愀漀瀀⸀昀爀愀洀攀眀漀爀欀⸀䌀最氀椀戀䄀漀瀀倀爀漀砀礀␀䌀最氀椀戀䴀攀琀栀漀搀䤀渀瘀漀挀愀琀椀漀渀⸀瀀爀漀挀攀攀搀⠀䌀最氀椀戀䄀漀瀀倀爀漀砀礀⸀樀愀瘀愀㨀㜀㐀㤀⤀ഀ਍ഀ at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:366)഍ ਍ऀ愀琀 漀爀最⸀猀瀀爀椀渀最昀爀愀洀攀眀漀爀欀⸀琀爀愀渀猀愀挀琀椀漀渀⸀椀渀琀攀爀挀攀瀀琀漀爀⸀吀爀愀渀猀愀挀琀椀漀渀䤀渀琀攀爀挀攀瀀琀漀爀⸀椀渀瘀漀欀攀⠀吀爀愀渀猀愀挀琀椀漀渀䤀渀琀攀爀挀攀瀀琀漀爀⸀樀愀瘀愀㨀㄀㄀㠀⤀ഀ਍ഀ at org.springframework.aop.framework.R

This works but I'm trying to filter out a service account username that is for cron tasks and is making the logs super noisy on my syslog server: Collecting event log <Input in> Module im_msvistalog <QueryXML> <QueryList> <Query Id="0"> <Select Path="Security"></Select> <Select Path="SentinelOne/Operational"></Select> <Select Path="Application">*</Select> </Query> </QueryList> </QueryXML> Exec $Message =~ s/(\t|\R)/ /g; to_syslog_bsd(); </Input> I tried Exec block filtering but any attempt to add xml code that filtered on the "Exec" line made all logs stop coming in. What would be the correct syntax for suppressing a username that's dedicated to cron tasks and is making the logs super noisy? Thanks all in advance. CB

Hi I downloaded and install nxlog-ce-3.0.2272_rhel8.x86_64.rpm on Centos 8 server I it is my first installation on centos 8. I used before only Centos 7 with nxlog. I copied input configuration from other server . and sending data to graylog But field FileName now unknown instead name of file . Rest of fields work excellent <Input log> Module im_file File &quot;/var/log/*&quot; SavePos TRUE ReadFromLast TRUE Exec $Message = $raw_event; Exec $FileName = file_name(); </Input>

Hello, I would like to modify the IIS logs for further transfer to the destination. Now I am parsing the IIS log with the xm_csv module, as in the template. UndefValue is disabled to not get empty. How can I interact with parsed data from w3c_parser? For example, I want to combine into a variable $request = '"' + $cs-method + ' ' + $cs-uri-stem + ' ' + $cs-version + '"'; such a value, but I get an error. When I try to write a field from w3c_parser to $raw_event, I also get an error. Any other data is added without error. For example $raw_event = $c-ip error $raw_event = $EventTime + ' ' + $http_host no error Thank you in advance! Example error, logs and config file below 2022-03-23 16:49:45 WARNING stopping nxlog service 2022-03-23 16:49:45 WARNING nxlog-ce received a termination request signal, exiting... 2022-03-23 16:49:56 ERROR Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:59; couldn't parse statement at line 71, character 32 in C:\Program Files\nxlog\conf\nxlog.conf; syntax error, unexpected +, expecting ( 2022-03-23 16:49:56 ERROR module 'iis_w3c' has configuration errors, not adding to route 'uds_to_file' at C:\Program Files\nxlog\conf\nxlog.conf:84 2022-03-23 16:49:56 ERROR route uds_to_file is not functional without input modules, ignored at C:\Program Files\nxlog\conf\nxlog.conf:84 2022-03-23 16:49:56 WARNING no routes defined! 2022-03-23 16:49:56 WARNING not starting unused module iis_w3c 2022-03-23 16:49:56 WARNING not starting unused module file 2022-03-23 16:49:56 INFO nxlog-ce-3.0.2272 started Current log format date time s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-bytes cs-bytes time-taken 2022-03-23 08:00:01 HOST.DOMAIN 99.XX.XX.4 GET /AnalyticsService - 443 - XX.XX.XX.XXX HTTP/1.1 Zabbix - - site.host.domain 200 3918 144 4 Required log format $http_host $remote_addr $remote_user [$time_local] UNIX-TIME-$msec "$request" $status "$sent_http_content_type" $body_bytes_sent "$http_referer" "$http_user_agent" "$http_cookie" $request_time "$upstream_addr" NGINX-CACHE-$upstream_cache_status "$request_id" "$request_body" host.domain 99.99.99.249 - [11/Mar/2022:20:09:56+0300] UNIX-TIME-1647018596.031 "GET /api/company.php?id=853747 HTTP/1.1" 200 "text/xml; charset=UTF-8" 1455 "-" "-" "20b6b325ea192383cb1244412247c5ea=3002538ef353c9daab4f742176a840; etpsid=f488b343a23d1a4a2332e089a0" 0.059 0.059 "10.10.10.111:80" NGINX-CACHE-- "d0b5ac12cf82671067aa5e6c5c" "-" Panic Soft #NoFreeOnExit TRUE define ROOT C:\Program Files\nxlog define CERTDIR %ROOT%\cert define CONFDIR %ROOT%\conf\nxlog.d define LOGDIR %ROOT%\data define LOGFILE %LOGDIR%\nxlog.log LogFile %LOGFILE% Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data <Extension _syslog> Module xm_syslog </Extension> <Extension fileop> Module xm_fileop </Extension> <Extension _charconv> Module xm_charconv AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32 </Extension> <Extension _exec> Module xm_exec </Extension> #Create the parse rule for IIS logs. You can copy these from the header of the IIS log file. <Extension w3c_parser> Module xm_csv Fields $date, $time, $s-computername, $s-ip, $cs-method, $cs-uri-stem, $cs-uri-query, $s-port, $cs-username, $c-ip, $cs-version, $cs(User-Agent), $cs(Cookie), $cs(Referer), $cs-host, $sc-status, $sc-bytes, $cs-bytes, $time-taken FieldTypes string, string, string, string, string, string, string, integer, string, string, string, string, string, string, string, integer, integer, integer, integer Delimiter ' ' EscapeChar '"' QuoteChar '"' EscapeControl FALSE UndefValue - </Extension> <Extension w3c_out> Module xm_csv Fields $http_host, $c-ip, $cs-username, $EventTime1, $sc-status, $Unix FieldTypes string, string, string, string, string, string Delimiter ' ' UndefValue - QuoteMethod None </Extension> <Input iis_w3c> Module im_file File 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex*.log' SavePos TRUE <Exec> if $raw_event =~ /^#/ drop(); else { w3c_parser->parse_csv(); $EventTime = parsedate($date + " " + $time); $EventTime = $EventTime + (3 * 3600); $EventTime1 = strftime($EventTime, '[%d/%b/%Y:%H:%M:%S]'); $EventTime1 = '$EventTime1' + ' +0003]'; $Unix = integer($EventTime); $Unix = 'UNIX-TIME-' + $Unix; $http_host = &quot;site.host.domain&quot;; $request = '"' + $cs-method + ' ' + $cs-uri-stem + ' ' + $cs-version + '"'; $request = $cs-method; w3c_out-&gt;to_csv(); } &lt;/Exec&gt; </Input> <Output file> Module om_file File 'C:\inetpub\logs\LogFiles\Parser\w3c.txt' </Output> <Route uds_to_file> Path iis_w3c => file </Route>

NXLog Community edition not finding modules Hello, I am getting an error loading modules with a trivial configuration. The nxlog.conf configuration file: # ############ BEGIN nxlog.conf Panic Soft #NoFreeOnExit TRUE define ROOT C:\Program Files\nxlog #define CERTDIR %ROOT%\cert #define CONFDIR %ROOT%\conf\nxlog.d define LOGDIR %ROOT%\data define LOGFILE %LOGDIR%\nxlog.log LogFile %LOGFILE% <Input in> Module im_null # Module im_file </Input> <Output out> #  Module om_tcp #  Module om_file   Module om_null </Output> # Connect input 'in' to output 'out' <Route DefaultRoute> Path in => out </Route> # ############ END nxlog.conf The error: 2022-03-22 15:05:24 ERROR Module missing at c:\Program Files\nxlog\conf\nxlog.conf:21 2022-03-22 15:05:24 ERROR module 'out' is not declared at c:\Program Files\nxlog\conf\nxlog.conf:27 2022-03-22 15:05:24 ERROR route DefaultRoute is not functional without output modules, ignored at c:\Program Files\nxlog\conf\nxlog.conf:27 2022-03-22 15:05:24 WARNING no routes defined! 2022-03-22 15:05:24 WARNING not starting unused module in If I try to load more modules with following configuration, things gets more worse: # ############ BEGIN nxlog.conf Panic Soft #NoFreeOnExit TRUE define ROOT C:\Program Files\nxlog #define CERTDIR %ROOT%\cert #define CONFDIR %ROOT%\conf\nxlog.d define LOGDIR %ROOT%\data define LOGFILE %LOGDIR%\nxlog.log LogFile %LOGFILE% #Moduledir %ROOT%\modules #CacheDir %ROOT%\data #Pidfile %ROOT%\data\nxlog.pid #SpoolDir %ROOT%\data # Following processors give error "...ERROR Module missing at ..." <Processor _proc_buffer>   Module pm_buffer </Processor> <Processor _proc_evcorr>   Module pm_evcorr </Processor> <Processor _proc_norepeat>   Module pm_norepeat </Processor> <Processor _proc_null>   Module pm_null </Processor> <Processor _proc_pattern>   Module pm_pattern> </Processor> <Processor _proc_transformer>   Module pm_transformer> </Processor> # Following inputs give error "...ERROR Module missing at ..." <Input _im_exec>   exec im_exec </Input> <Input _im_module>   Module im_module </Input> <Input _im_file>   file im_file </Input> <Input _im_internal>   internal im_internal </Input> <Input _im_kernel>   kernel im_kernel </Input> # Following outputs give error "...ERROR Module missing at ..." <Output _om_exec>   Module om_exec </Output> <Output _om_file>   Module om_file </Output> <Output _om_http>   Module om_http </Output> <Output _om_null>   Module om_null </Output> <Output _om_ssl>   Module om_ssl </Output> <Output _om_tcp>   Module om_tcp </Output> <Output _om_udp>   Module om_udp </Output> <Input in> Module im_null # Module im_file </Input> <Output out> #  Module om_tcp #  Module om_file   Module om_null </Output> # Connect input 'in' to output 'out' <Route DefaultRoute> Path in => out </Route> # ############ END nxlog.conf The errors: 2022-03-22 15:07:55 ERROR Module missing at c:\Program Files\nxlog\conf\nxlog.conf:21 2022-03-22 15:07:55 ERROR Module missing at c:\Program Files\nxlog\conf\nxlog.conf:24 2022-03-22 15:07:55 ERROR Module missing at c:\Program Files\nxlog\conf\nxlog.conf:27 2022-03-22 15:07:55 ERROR Module missing at c:\Program Files\nxlog\conf\nxlog.conf:30 2022-03-22 15:07:55 ERROR Module missing at c:\Program Files\nxlog\conf\nxlog.conf:33 2022-03-22 15:07:55 ERROR Module missing at c:\Program Files\nxlog\conf\nxlog.conf:36 2022-03-22 15:07:55 ERROR Module missing at c:\Program Files\nxlog\conf\nxlog.conf:42 2022-03-22 15:07:55 ERROR Module missing at c:\Program Files\nxlog\conf\nxlog.conf:45 2022-03-22 15:07:55 ERROR Module missing at c:\Program Files\nxlog\conf\nxlog.conf:48 2022-03-22 15:07:55 ERROR Module missing at c:\Program Files\nxlog\conf\nxlog.conf:51 2022-03-22 15:07:55 ERROR Module missing at c:\Program Files\nxlog\conf\nxlog.conf:54 2022-03-22 15:07:55 ERROR Module missing at c:\Program Files\nxlog\conf\nxlog.conf:59 2022-03-22 15:07:55 ERROR Module missing at c:\Program Files\nxlog\conf\nxlog.conf:62 2022-03-22 15:07:55 ERROR Module missing at c:\Program Files\nxlog\conf\nxlog.conf:65 2022-03-22 15:07:55 ERROR Module missing at c:\Program Files\nxlog\conf\nxlog.conf:68 2022-03-22 15:07:55 ERROR Module missing at c:\Program Files\nxlog\conf\nxlog.conf:71 2022-03-22 15:07:55 ERROR Module missing at c:\Program Files\nxlog\conf\nxlog.conf:74 2022-03-22 15:07:55 ERROR Module missing at c:\Program Files\nxlog\conf\nxlog.conf:77 2022-03-22 15:07:55 ERROR Module missing at c:\Program Files\nxlog\conf\nxlog.conf:87 2022-03-22 15:07:55 ERROR module 'out' is not declared at c:\Program Files\nxlog\conf\nxlog.conf:93 2022-03-22 15:07:55 ERROR route DefaultRoute is not functional without output modules, ignored at c:\Program Files\nxlog\conf\nxlog.conf:93 2022-03-22 15:07:55 WARNING no routes defined! 2022-03-22 15:07:55 WARNING not starting unused module in I get same errors on two 64 bit machines (Windows 10 and Windows Server 2012R2) Tried with processmonitor.exe to see if nxlog-processor.exe fail to load the dll module but I do not see any load attempt. I suspect that I must missing a macroscopic thing but am unable to spot it. Using nxlog-ce-3.0.2272.msi Community Edition for Windows 64 bit. Any hint will be appreciated. Regards. Carlo

I'm not sure it's causing a problem, but consistently nxlog will crash on Windows when making a call to stop the nxlog service with error "System Error 109 has occurred. The pipe has ended." I'd like to fix this if anyone knows of a way.

We are using NXLog CE's im_msvistalog module to forward Windows Event Logs from the Security log, with some filtering, to an external syslog server. Functionally this works well and does exactly what we need it to. The problem we are having is that nxlog.exe process often consumes rather high percentages of a workstation's CPU in bursts. Between 25 and 35 percent every few minutes, for around a minute at a time. This is generally too much of a performance hit and I need to find some way to resolve it. I have already mitigated the size of the event log file that nxlog.exe is querying from by clearing the Security log entirely, so this is happening even on a system with not more than a few dozen log entries to read from. The query itself is fairly simple, it loads all Event ID 4625 entries from the Security log (these are logon failures). It then has a single command to drop any logon failures that were initiated for a computer account instead of a user account (this is done by reading the target account trying to logon, string parsing the account username to see if the final character is a "$", which denotes a computer account, and dropping the log if the "$" is found). What can I do to mitigate the excessive CPU usage? What I have tried so far: clearing the Windows event log that nxlog is reading from to reduce the size of the data it needs to read from disk, using UDP syslog forwarding instead of TCP, removed the parsing that dropped Event Log ID 4625 entries where the target account being logged in was a computer account instead of a user account. None of this has helped. Edit to add: I did try writing out text logging instead of syslog forwarding. This worked but I am still experiencing the periodic excessive CPU consumption. The problem is likely in the im_msvistalog input module, I would assume.

Hi everyone! Has anyone ever installed or have some tips regarding a community edition package compatible with Oracle Linux 6? We've tried to use the package for REHL/CENTOS 6, installing all the dependencies, but no log is generated and sent to the syslog server. Thanks!